New Report Of Malicious Chinese Cyber Attack On A U.S. Government Agency

This article is more than 8 years old.

President Obama is currently hosting Chinese President Xi Jinping for his first U.S. state visit amid tensions over a potential cyber security “arms control agreement”. A new report Wednesday from Palo Alto Networks confirms Chinese cyber attacks on a U.S. government entity and a European media company.

This latest China-based attack on U.S. government interests follows a week after a Trend Micro report of an extended, ongoing cyber attack campaign against U.S. government contractors. This attack, named Operation Iron Tiger, was confirmed to have exfiltrated terabytes of data from its defense contractor victims. Iron Tiger was believed to have been aided by use of earlier-stolen Office of Personnel Management data.

3102 attack on U.S. government agency

Palo Alto Networks confirmed Wednesday that it observed two targeted attacks this past May by Chinese hackers. In its report entitled Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media, the security company reported that Chinese threat actors delivered identical documents to both victims via spear-phishing emails. The first phishing email was sent on May 6, 2015 and the second on May 11, 2015, to a U.S. government agency and an E.U. media concern, respectively.

The “decoy” document sent via the emails “displays a list of names and email addresses of individuals allegedly associated with the Hong Kong Professional Teachers’ Union,” Palo Alto Networks’ report said.

The 3102 malware delivered via the phishing attack required hackers to subsequently send executable plugins. The attackers then sent each victim three plugins. The first plugin enables the malware “to carry out file system activities, such as reading, writing and searching for files, as well as to enumerate storage devices and volumes.” The second has functionality overlap with the first but also enables the hackers to remove folders and execute files. The third allows the hackers to perform screen captures and lets the operator interact with the system by sending keystrokes, mouse movements and mouse clicks.

Tie to a private Chinese company

The report further indicates, “[r]esearch on registrant information used to set up infrastructure for these attacks led to ties within the hacking community in China, indicating the threat group behind this activity is likely Chinese-based. Interestingly, the tie to a private Chinese company further indicates they are likely being hired as contractors, in contrast to” other threat groups that have been associated with the Chinese military. Ryan Olson, Director of Threat Intelligence, Unit 42, Palo Alto Networks, said in a phone interview yesterday that both attacks were unsuccessful in exfiltrating data. He further indicated that the company's release of the report this week was not timed to coincide with Xi's visit to the U.S.

These attacks showed commonalities with a June 2015 attack on the website of the president of Myanmar believed to be designed to target and gather information on individuals in Myanmar involved in political relations with the country and/or organizations doing business in Myanmar.

Update to Trend Micro’s Operation Iron Tiger White Paper

As FORBES reported last week, Trend Micro released a white paper, Operation Iron Tiger, in which it reported that numerous security tech intensive U.S. defense contractors were hacked and continuously monitored from 2013 until this year. Attacks appeared to be ongoing, though slowed, Trend Micro representative Thomas Kellerman, Vice President of Cybersecurity, informed FORBES in an interview. As reported, these threats are believed to present a substantial risk to U.S. defense interests.

Dr. Ziv Chang, Sr. Director, Cyber Safety Solutions, Core Technology at Trend Micro and first author on the report, stated that the attackers’ aim to target very important persons, engineers, and public relations/communication officers was evidenced as recently as February 17, 2015.

Thomas Kellerman, the company’s Vice President of Cybersecurity, informed FORBES in a followup to our first report that he believed that data stolen from the U.S. Office of Personnel Management in the April 2015 breach of the OPM systems was used and continues to be used in this hack. The day after publication of the FORBES article, the white paper was taken offline by Trend Micro.

The following day Trend Micro issued this statement: Sept. 22, 2015 12:25 AM EDT – Yesterday Jon Clay, senior manager, global threat communications, Trend Micro, stated: “We are currently reviewing new information related to the ‘Operation Iron Tiger’ report and the current version is no longer available. Thank you for your patience and understanding.”

In response to our additional questions regarding the report’s removal, Trend Micro issued a further statement in connection with its Operation Iron Tiger white paper. The full statement of Trend Micro is as follows:

“According to Raimund Genes, CTO, Trend Micro:

‘In regards to the retraction of the ‘Operation: Iron Tiger’ report we would like to clarify that the information is factually accurate. However, there were specific attributions to individuals in the report, which fall outside our research policy and high standards. In these cases, we typically work with legal authorities initially to help bring perpetrators to justice. Unfortunately, this process was not followed for this report. Trend Micro has an established reputation of consistently delivering high quality research that help various audiences better understand the latest threats and their potential impact. We take this responsibility very serious, making this incident unique and isolated. Moving forward, we will work diligently to ensure our own strict standards are thoroughly applied. We apologize for any inconvenience.’”

Forbes withheld the name of the individual identified in the Trend Micro white paper in both its initial and subsequent reporting on the white paper. Repeated inquiries as to whether the report would be reissued remained unanswered.

Trend Micro announced on August 31, 2015 that AsiaInfo Technologies (China) Co., Ltd. would acquire Trend's Chinese subsidiary. The deal is expected to close at the end of this year.

Cyber arms control agreement unlikely: Obama administration official

An agreement on cyber arms control is unlikely to be concluded, Ben Rhodes, the deputy national security adviser for strategic communications, told reporters Tuesday. Reports of bilateral agreement talks came amidst U.S. indications of potential sanctions that have been repeatedly threatened by the Obama administration and were, at the beginning of this month, even predicted by unnamed administration offices to be announced prior to Xi’s U.S. visit.